Einloggen, um private Nachrichten zu lesen TOPFIELD.de Board Foren-Übersicht » TAP » Firmware location in memory?    Vorheriges Thema anzeigen :: Nächstes Thema anzeigen  Firmware location in memory? Verfasst am: Fr 17. Jun 2005, 23:14 phrig Neuling   Anmeldungsdatum: 17.06.2005 Beiträge: 6 I have recently got a Topfield 5800PVRt. Could someone tell me where the memory address of the flash eeprom that holds the firmware please? Is there a memory map somewhere that would guide me? Thakyou, phrig. Re: Firmware location in memory? Verfasst am: Fr 17. Jun 2005, 23:32 Happy TAP-Guru   Anmeldungsdatum: 19.04.2003 Beiträge: 365 Wohnort: Malsch bei Karlsruhe phrig hat folgendes geschrieben:: I have recently got a Topfield 5800PVRt. Could someone tell me where the memory address of the flash eeprom that holds the firmware please? Is there a memory map somewhere that would guide me? Thakyou, phrig. Welcome to our forum. This might answer your question: http://board.topfield.de/viewtopic.php?p=153656#153656 Regards, Happy _________________ http://topfield.hepke.com ------------------------------------------- TF 5500 PVR - 300GB Maxtor - TF4000 PVR - 160GB Samsung - Yamaha RX-V 1500 - Autostart-TAPs: Autodelete, Jag's EPG, Improbox, Automove, Nice Display Verfasst am: Fr 17. Jun 2005, 23:48 phrig Neuling   Anmeldungsdatum: 17.06.2005 Beiträge: 6 Thanyou for that Happy. I have already dumped a lot of the locations but have not found where in memory the actual eeprom address lives Verfasst am: Fr 17. Jun 2005, 23:51 Happy TAP-Guru   Anmeldungsdatum: 19.04.2003 Beiträge: 365 Wohnort: Malsch bei Karlsruhe phrig hat folgendes geschrieben:: Thanyou for that Happy. I have already dumped a lot of the locations but have not found where in memory the actual eeprom address lives Hi phrig, if you look into the signatures of the mentioned thread you even find a disassembler tool. Good luck Cheers, Happy _________________ http://topfield.hepke.com ------------------------------------------- TF 5500 PVR - 300GB Maxtor - TF4000 PVR - 160GB Samsung - Yamaha RX-V 1500 - Autostart-TAPs: Autodelete, Jag's EPG, Improbox, Automove, Nice Display Verfasst am: Fr 17. Jun 2005, 23:59 Acade Erfahrener Benutzer   Anmeldungsdatum: 19.04.2005 Beiträge: 56 Wohnort: Bayern Hi phrig, we are not examining the actual flash memory or the eeprom, instead we look into the unpacked code beginning at address 0x8000 0000 (as you already know ...) In fact, I have no idea about the addresses of eeprom and flash memory, but it's not so important anyway. Does anybody else know more about this? Ciao, Acade _________________ TF5000PVR / FW 5.11.55 http://acade.au7.de/disasmips.htm Verfasst am: Sa 18. Jun 2005, 0:20 phrig Neuling   Anmeldungsdatum: 17.06.2005 Beiträge: 6 I had a look at Acade's disassembler a couple of days ago, and a very nice bit of kit it is! Having played around with some simple TAPs to prove to myself I could alter the code that was being run (I just changed the amount of bytes that the 'dump' command from the serial connection gives from 0x100 to 0x1000) I started searching for groups that were also looking into the Topfield firmware...and found here I would like to be able to see the loader code and the compressed firmware in a memory dump, but I do not know or think it is important..I am just a curious person. ...later, phrig. Verfasst am: Di 21. Jun 2005, 0:09 DeadBeef Erfahrener Benutzer   Anmeldungsdatum: 28.03.2005 Beiträge: 90 Wohnort: am Schwäbischen Meer @phrig As far as I understand the FW is stored uncompressed in the flash. As mentioned above the executable code starts at 0x80000000. Possibly it is only a RAM mirror of the actual flash (I haven't tested it yet). The "print eeprom" command (at the serial interface) provides the address and the contents of the EEPROM. It also looks like a RAM mirror of the actual EEPROM content because the provided address is different in various FW versions. There is also some data starting at 0xa3ffff0 (e.g. system ID at 0xa3fffff8). I have not looked at the loader yet because it was not that important to me. I guess it is located at the reset address of the CPU (whatever it is). Are you looking for anything particular to improve/enhance FW functionality? Cheers, DeadBeef _________________ DeadBeef's TAP Collection Verfasst am: Di 21. Jun 2005, 2:07 phrig Neuling   Anmeldungsdatum: 17.06.2005 Beiträge: 6 >Are you looking for anything particular to improve/enhance FW functionality? Not really, just 'playing'. Only just got my unit, and having a little experience with mips I thought I would experiment a little. Opening up a fuller API would be nice; from within the TAPs environment,(and since no Symbol Table has been compiled in, that is a difficult challenge). I looked at some of your work on the other 'hidden' serial commands within 'TF5000PVRt-Eur-TOPFIELD-SYS_416-2005Mar30.zip' (as it happens our 5800 does not have them). But, interestingly these commands have been assembled in a different fashion, leaving a trail to their function position (which you obviously know already). From that info. I can get at least a guess as to what is happening on the 5800 from the 'calls' made from within these functions. Any assistance would be appreciated. On the UK website there are only a couple of people that seem interested in low level stuff. I would like to know what is worth searching for...and why? The more people looking at the FW the better off we become...with knowledge. ...later, phrig. Verfasst am: Di 21. Jun 2005, 21:08 FireBird Dauerglotzer   Anmeldungsdatum: 09.04.2004 Beiträge: 252 Wohnort: Wien Hi, DeadBeef hat folgendes geschrieben:: There is also some data starting at 0xa3ffff0 (e.g. system ID at 0xa3fffff8). Did you find a pointer pointing to a 0xA-address? I did some short tests and it looks like that the 64MB SDRAM is mapped from 0x80 to 0x84 and mirrors to other addresses due to incomplete address line decoding. Code: 80=84=88=8C=A0=A4=A8=AC 81=85=89=8D=A1=A5=A9=AD 82=86=8A=8E=A2=A6=AA=AE 83=87=8B=8F=A3=A7=AB=AF This would allow up to 512MB of SDRAM. Finding an pointer operation outside of 80-84 would prove my theory wrong. Till now I was unable to find a datasheet for NECs uPD61130, just a block diagram on their web site. @ phrig: the EEPROM is a serial device (24C02) so won't find the device mapped to a memory location except for register access. Regards, FireBird Verfasst am: Di 21. Jun 2005, 23:49 DeadBeef Erfahrener Benutzer   Anmeldungsdatum: 28.03.2005 Beiträge: 90 Wohnort: am Schwäbischen Meer @FireBird Yes, I have found a couple of code segments addressing 0xa3ffffe0-0xa3fffffc. The code is located between 0x80003e60 and 0x80003f6c (the notation is "lui reg, 0xa400" and "lhu reg1, -8(reg)" and the like). I guess that at least this area is not mirrored to RAM. @phrig I believe that I found the original location of the flash - it starts at 0xbfc00000. I have not verified it yet with my Topfield but operations executed on that area are typical for flash control cycles. Topfield seems to support a great variety of flash devices. And last but not least, it is true that there is no additional debug functionality in the FW for 5800PVR. The code is just not present. I guess it is not supposed to be in the FW for 5000PVR either because it is not referenced from anywhere within the FW. Cheers, DeadBeef _________________ DeadBeef's TAP Collection Verfasst am: Mi 22. Jun 2005, 1:31 FireBird Dauerglotzer   Anmeldungsdatum: 09.04.2004 Beiträge: 252 Wohnort: Wien DeadBeef hat folgendes geschrieben:: I believe that I found the original location of the flash - it starts at 0xbfc00000 This one looks good: Code: BFC00000-BFC0FFFF: Flash - Loader (64k) BFC10000-BFDBFFFF: Flash - Firmware (1,7MB .tfd compressed) BFDC0000-BFDDFFFF: Flash - Sat/Timer... Tables (128kB .std compressed) BFDE0000-BFDFFFFF: Flash - P (128kB .std compressed) I've found the same data starting at 0x9FC00000, 0x9FE00000 and BFE00000. I don't know what the last area, marked with a P, is good for. The LED display uses the letter P when the Toppy reads or writes to that area. Verfasst am: Mi 22. Jun 2005, 21:32 phrig Neuling   Anmeldungsdatum: 17.06.2005 Beiträge: 6 Well done! I don't see anything with a 0xbfc0000 dump except 00's, then changing to data at 0xbfcb3b00. It does exist at 0x9fc00000. On my 5800: The code 'returns' from the first jump at 0xbfc0000 by doing a 'jr' to 0xBFC00224; that code (assuming it is identical to the code I see at 0x9.....) then 'returns' with a 'jr' to 0x9FC00340. This code looks to uncompress some code from 0xBFC02000 into 0x81000000 and passes program control that. What is an ".std compressed"? and is the code at 0xBFC02000 the same type of compression? ...later, phrig. Verfasst am: Mi 22. Jun 2005, 22:23 FireBird Dauerglotzer   Anmeldungsdatum: 09.04.2004 Beiträge: 252 Wohnort: Wien Hi, I’m talking about my 5000PVR, so our findings may differ. The .std-file is used by the simple settings editor Vega provided by Topfield. The editor is meant for the satellite version of the 5000. Perhaps you know the .tfd-file if you’ve upgraded the firmware of your STB. It is nothing else then a stream of compressed data packets and is not limited to firmware packets. In contrast to the .tfd, the .std file has a directory at the beginning and it seems that it was developed for random access. But both formats use the same AR002 compression algorithm developed by Haruhiko Okomura. As I said, this may look different on a PVRt and especially on your 5800. Regards, FireBird Verfasst am: Do 23. Jun 2005, 1:58 phrig Neuling   Anmeldungsdatum: 17.06.2005 Beiträge: 6 While appreciating we have different units I would think the basics would be similar within the loader routines? At 0xBFC02000,; do you guys find 'compressed' code? ...and can that code be decompressed easily? ...later, phrig. Verfasst am: Do 23. Jun 2005, 19:12 FireBird Dauerglotzer   Anmeldungsdatum: 09.04.2004 Beiträge: 252 Wohnort: Wien All I can say right now is that this block doesn't contain one of the standard headers. Verfasst am: Do 23. Jun 2005, 22:46 DeadBeef Erfahrener Benutzer   Anmeldungsdatum: 28.03.2005 Beiträge: 90 Wohnort: am Schwäbischen Meer The I2C registers for EEPROM control seem to be at the addresses 0xb2007000, 0xb2007010, 0xb2007040 (data) and 0xb2007050 (cmd/status). There is another I2C controller with a register block starting at 0xb2008000. Again, these are unverified assumptions derived from the FW code. @phrig Is it correct that you have a PRV for the DVB-T? The only FW release available for download seems to be for the DVB-S. Cheers, DeadBeef _________________ DeadBeef's TAP Collection Firmware location in memory?   TOPFIELD.de Board Foren-Übersicht » TAP Du kannst keine Beiträge in dieses Forum schreiben. Du kannst auf Beiträge in diesem Forum nicht antworten. Du kannst Deine Beiträge in diesem Forum nicht bearbeiten. Du kannst Deine Beiträge in diesem Forum nicht löschen. Du kannst an Umfragen in diesem Forum nicht mitmachen. Alle Zeiten sind GMT + 2 Stunden   Seite 1 von 1   Alle Beiträge1 Tag7 Tage2 Wochen1 Monat3 Monate6 Monate1 Jahr Die ältesten zuerstDie neusten zuerst  Forum auswählen Topfield.de----------------Anfänger und NeuankömmlingeTopfield CaféTopfield Neuigkeiten TF5x00 Serie----------------TF5000PVR/TF5500PVR AllgemeinesTF5000PVR/TF5500PVR TechnikTF5000PVR/TF5500PVR Bugs & FehlerTF5000PVRt - Terrestrischer EmpfangTF5000CI TF4000 Serie----------------TF4000PVR AllgemeinesTF4000PVR TechnikTF4000PVR Bugs & FehlerTF4000FE AllgemeinesTF4000FE Bugs & Fehler TF3000 Serie----------------TF3000 AllgemeinesTF3000 Bugs & Fehler Topfield-Modding----------------TAPHardware Gesonderte Themen----------------Klone und KopienHeißes Reißen - Filme kopieren und brennenCIs - Steckkarten für den TopfMac-Corner Topfield international----------------worldwide Topfield CaféTopfield BugsTopfield WishlistTF5000PVR specific Offtopic----------------Allgemeiner ChatSuche & BieteMeckerecke Verwaltung----------------Bugs im BoardTopfield Internet